Ask Slashdot: Using SSH on non-US Sites for Crypto Development?
cesarb dropped this interesting question in my inbox, which I would like to share with you all: "I would like to know if a developer in the U.S. could use telnet or SSH to a box outside the U.S. and help develop code that uses crypto. If he types a whole file of source code for a crypto algorithm, this of course is export; however, if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes and the actual text you typed (like the new name for the function), and what appears on your screen was just imported but never exported back. This would allow things like the kernel, Mozilla or anything else to be developed with crypto outside the U.S. but by people inside the U.S., and so would stop the last piece of usefulness in those silly U.S. crypto export restrictions." Would something like this work? Are there any other solutions for U.S. citizens developing strong cryptography to share their work with others abroad?
Please please please read the US crypto policy FAQ from the EFF archives.
Since we are the guys who have the definitive collection of crypto source in tree, what we do is literally fly/bus people over the border for a concentrated time of working on crypto stuff.
No problem with any interpretation of "export regulations."
> import is legal
> Export in Electronic form is illegal
> Export in non-electronic form is legal
> Print the diffs!!!

Didn't they once send out the printed source for PGP 5 or something with checksums written by each line to make it easy for a computer with a scanner to read it and check it? Very clever. Aren't there plenty of competent people in Europe to develop this for import into the US afterwards?
Irregardless of "export," it's a felony for an American to provide "technical assistance" to foreigners about crypto.
Companies and organizations like mozilla.org have to keep their noses clean, so they can't even provide minor help like bugfixes to free-world crypto efforts. A single person could probably get away with it, though, especially if you were careful (e.g., anonymous encrypted mail with the bugfix, etc.) (Not that I would ever publicly encourage someone to commit a felony, of course!)
However, most of the major free-world crypto development efforts will not accept help from Americans, because under American law that then "taints" their effort as an American product, confusing the issue further. This is not just a technical worry; the US assumes its laws apply in all countries.
SCREW stupid laws. Just don't get caught. :-)
(No, I'm not doing it, I'm not a crypto guy. So if you're the feds and are chasing me, you're just wasting your time.)
Wow, that was convincing. PLEASE guys, quit programming cryptography! The only people who should have cryptography are the US Government(TM) and Microsoft! If anyone else has it, he might be tempted to become a terrorist or a child abuser!
I am a US citizen and wanted to do exactly the same thing. According to Julie Lever, an Analyst at the DOC in the crypto export division, you need a license to do this (I'm in the process of obtaining one). I have servers in Panama I access via SSH. Even building SSH on them (d/l directly from Finland) is a grey area. What she says is that _I_ doing the work constitutes exporting encryption technology because I am a US citizen. I cannot even do the work if I live in Panama as long as I'm a US citizen.
Seriously, what you are suggesting is tantamount to hand delivering technology from the US to another nation.
Not everyone who lives in the US is a US citizen, and a lot of programmers are not (me, for example), so formally the "technology" or "expertise" doesn't belong to the US in the first place.
Contrary to the popular belief, there indeed is no God.
Check DejaNews; the appropriate portion of the regulation is posted to sci.crypt and crossposted later (by me) to talk.politics.crypt. U.S. citizens are prohibited from exporting cryptography, and are prohibited from providing technical assistance, and if overseas are prohibited from working on products that would require an export permit within the U.S.
Regarding sovereignty the United States Government holds that if you are a U.S. citizen, you must obey U.S. law no matter where in the world you are. The USG has been known to kidnap U.S. citizens in foreign countries in order to bring them to trial here in the U.S. if they peeved the USG enough. Heck, they don't even have to be U.S. citizens -- anybody remember Manuel Noriega, who was (quite illegally) kidnapped and brought to trial in Miami for crimes that did not violate Panama law and that were committed within the borders of Panama?
-E
Send mail here if you want to reach me.
You're breaking the law even to contribute technical assistance. However, the USG has a "gentleman's agreement" not to prosecute where it feels that they'd lose on First Amendment grounds. But where is the border line? Do YOU want to be the test case who spends the next five years in jail waiting for trial?
-E
Send mail here if you want to reach me.
The regulation says that if you're an American citizen overseas and working on a product that would require export permission here in the 'States, you're breaking the law. For that matter, an American citizen re-keying the code into a system upon arrival overseas would be breaking the law (since he would be providing technical assistance).
For that matter, even printed on paper it's technically against the regulation, except that the regulation allows "academic discourse" and if you print a few academic notes to go with the code it slips through that loophole in the regulation. But don't think you can add a few academic notes and post the source to the USENET, the requirement is that it be printed on paper in order to qualify as "academic discourse", though the Bernstein case is trying to qualify source code in electronic form distributed as part of a book as "academic discourse" too (and he has a good case, but the USG will drag this out forever).
Anyhow, it's all a blatant violation of the First Amendment, but the U.S. government doesn't believe in the Constitution anyhow (see the RICO statutes, which violate the 5th Amendment, for another example), so it doesn't matter.
-E
Send mail here if you want to reach me.
Flee the USA if you wish, but expect that if you peeve the USG enough, they'll go out and kidnap you in order to bring you back to trial. Heck, Noriega was president of his whole damned country and you saw how well he fared when the USG decided to kidnap him in order to bring him to trial in Miami (for acts legal in Panama, that occurred within the borders of Panama). What makes you think that a little pipsqueak like you or me stands a chance if they get peeved?
-E
Send mail here if you want to reach me.
The problem is that most strong authentication mechanisms depend upon public key encryption, which IS export controlled. So, for example, let's say you want to only run binaries which are signed by Red Hat Software or by your Corporate Information Center. They would "sign" the binary by encrypting the MD5 of the binary using their private key, then before you run the binary you check the binary to make sure its MD5 matches the MD5 decrypted using their public key. Thus you can ensure that you got a trusted binary and not some barfled one.
The problem is that even though this would receive an export license if you applied for one (because it is an authentication scheme, not an encryption scheme), you cannot include source code, because the source code would be capable of being "misappropriated for non-authorized uses". The GPL means that thus this capability won't go into the kernel.
In other words, the US Government is propping up Microsoft here, since Microsoft can include this capability in their OS. (If they gave a damn, which they apparently don't). But that figures, the US Government is also giving Microsoft huge export subsidies too, at the same time that they're suing Microsoft for monopolistic acts. Quite a government we have, eh?
-E
Send mail here if you want to reach me.
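The signed-binary check described in the post above, written out as an added example (not code from the post or from any of the vendors it names). It assumes a freshly generated RSA key standing in for the publisher's key, a constructed sample "binary", and SHA-256 in place of the MD5 the post mentions, since MD5 is no longer collision resistant. The point it shows is the verifier's side: a single flipped bit in the binary makes the signature check fail, so the tampered copy is refused.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignBinary hashes the binary and signs the digest with the publisher's private key
// (RSA PKCS#1 v1.5). The post describes signing an MD5; SHA-256 is used here instead
// because MD5 is no longer collision resistant.
func SignBinary(priv *rsa.PrivateKey, binary []byte) ([]byte, error) {
	digest := sha256.Sum256(binary)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyBinary recomputes the digest and checks the signature with the publisher's
// public key. It returns true only if the bytes are unmodified and were signed by the
// holder of the matching private key; anything else must not be run.
func VerifyBinary(pub *rsa.PublicKey, binary, sig []byte) bool {
	digest := sha256.Sum256(binary)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// DemoSignAndTamper runs the whole flow on a constructed sample "binary": sign it,
// verify the genuine copy, then flip one bit and verify again.
// Returns (genuineAccepted, tamperedAccepted, err).
func DemoSignAndTamper() (bool, bool, error) {
	// Publisher key, generated fresh here (assumption); in practice only the public
	// half would ship with the OS or be distributed out of band.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	binary := []byte("#!/bin/sh\necho constructed sample binary\n") // constructed input
	sig, err := SignBinary(priv, binary)
	if err != nil {
		return false, false, err
	}
	genuine := VerifyBinary(&priv.PublicKey, binary, sig)

	tampered := append([]byte(nil), binary...)
	tampered[len(tampered)-2] ^= 0x01 // a one-bit change, as any modified copy would have
	forged := VerifyBinary(&priv.PublicKey, tampered, sig)
	return genuine, forged, nil
}

func main() {
	genuine, forged, err := DemoSignAndTamper()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine binary accepted:  %v\n", genuine)
	fmt.Printf("tampered binary accepted: %v\n", forged)
}
```

Note that the verifier only ever needs the public key, which is why the post calls this an authentication scheme rather than an encryption scheme: nothing in the check path can be turned into a tool for keeping data secret.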
This is the Bernstein case, and was about posting the source code that went with an academic paper. See the EFF home page (http://www.eff.org) for more info.
As far as I know it's still tied up in court. I'll just note that the regulations allow academic discourse but unless it takes place on paper and ink the USG doesn't believe it's academic discourse. Bernstein is trying to pry a hole in the rule to say that academic discourse can take place over the Internet too. That still won't help Red Hat export a product that incorporates encryption. (SuSE, on the other hand, has no such problem, since they are not an American company -- in other words, the USG is putting American companies at a disadvantage).
-E
Send mail here if you want to reach me.
Not exactly. Source code AS ACADEMIC DISCOURSE is free speech -- in one particular circuit court, and the decision is being appealed. Source code outside of academic discourse is another story altogether. See http://www.eff.org for more info on the Bernstein case.
-E
Send mail here if you want to reach me.
http://www.access.gpo.gov/nara/cfr/index.html
-E
Send mail here if you want to reach me.
Other countries do have their own crypto. That's the problem. American companies are at a disadvantage because they cannot put strong crypto into their products, while foreign companies can.
The most beloved product by all Unix system administrators is 'ssh', which does encrypted rsh/telnet connections instead of sending passwords in plain text. It was done in (guess what!) Europe, and in fact is illegal to use in the United States unless you buy it from a licensed vendor (because it incorporates the RSA algorithm, which is patented, though only in the United States).
Of the candidates for the AES data encryption standard, a 128-and-256-bit-key encryption standard which will be required to be used by all government agencies and contractors as the replacement for 56-bit DES, three of the five finalists were coded entirely outside of the United States. We may soon be using foreign encryption code to run the U.S. Government!
--E
Send mail here if you want to reach me.
I don't personally care. If the Federal Government wants to prosecute me because I've been fuddling around on sci.crypt and posted some thoughts about Diffie-Hellman in a place where foreigners could see it, screw them.
:-(.
But dozens of people rely on my employer for their living, and he's not going to jeopardize his company by saying "screw you!" to the government. So he's not going to export a product containing strong encryption in violation of the regulations, because they could fine him millions of dollars and throw the whole executive staff in jail, in which case the company is kaput and everybody who's not in jail is out of a job. So he cannot compete with European companies who CAN sell products with strong encryption.
So the final status is that we will have two products: A US/Canada product with strong encryption, and an overseas product which does not have encryption (because the export regulations also require that we track where each copy is sold to make sure it's not re-exported to a company on the "forbidden" list -- hell, we ship these things en masse to distributors, how'n'hell do we know where they've been sold to?!). So we will be at a disadvantage compared to European competitors. Pisses me off, personally. I think I have great code in one utility that I'd love to release as Open Source, but nobody will ever be able to see it because of those @#$% export restrictions.
-- Eric (EST's crypto expert "because somebody had to do it").
Send mail here if you want to reach me.
The fiction is that publishing papers is "academic discourse" and thus is protected by the First Amendment, while source code in electronic form is a "mechanism" and thus covered by the commerce clause. Actually, even publishing papers internationally would technically be against the law that prohibits "technical assistance" to foreign nationals, if I'm reading the draconian CFR correctly, except that the Justice Department has issued a directive that they won't prosecute cases that clearly are First Amendment cases.
See the EFF site for the Bernstein case, which is trying to get source code classified as academic discourse too.
-E
Send mail here if you want to reach me.
Academic discourse is protected under the First Amendement, according to the DOJ, and thus will not be prosecuted under the regulations even if foreign nationals can see it. Bernstein is trying to get source code classified as academic discourse (see the EFF home page).
Atomic bombs are export-controlled, but as a U.S. citizen you cannot go to Pakistan and help them with their atomic bomb project. The notion is that this is like yelling "Fire!" in a crowded theatre -- i.e., that the purpose of the speech counts, you can yell Fire! all you want to in the privacy of your own home or in a cow pasture, but not where it can harm others.
The RSA incident may be from "The Codebreakers", I don't remember it in Schneier (though I have not memorized Schneier -- yet -- so it may be in there).
-E
Send mail here if you want to reach me.
Keypunching or scanning the code in off of a printed research paper (note that a printed "book" with a few lines describing the algorithm and the rest being the algorithm qualifies as a "research paper" as far as the US DOJ is concerned) is okay, and the USA cannot put you in jail for doing so since you are not a US citizen. You can in fact put your code up for grabs on the Internet. See http://www.replay.com for an example.
On the other hand, while you will not be prosecuted for using false pretenses to gain access to U.S. code and then putting U.S. code on international servers, the authors of that code may very well be prosecuted. Phil Zimmermann (PGP) spent years with the hounds of the US Government on his tail. In addition, many countries do have reciprocal agreements with the US that they will not re-export US code in exchange for various special favors. Canada is an example, that is why only a version of Kerberos 4 re-coded from the "bones" by foreign nationals is part of OpenBSD, even though Kerberos 5 is available from the worldwide crypto archives (via the same print-out-then-scan-back-in mechanism). The difference is that Kerberos 5 was not re-coded from the "bones" and thus qualifies as U.S. code as far as Canada is concerned.
-E
Send mail here if you want to reach me.
Err, block ciphers of 128 bits or greater are safe for the time being. The output of known good block ciphers, such as the five AES candidates, is statistically indistinguishable from random noise. The only real attack that can be made is differential attacks, and that appears to be a problem only for DES, which is why the NIST is retiring DES in favor of a new American government encryption standard (the AES candidates). If you use Bruce Schneier's "TwoFish", a derivative of "Blowfish" and the best known of the AES candidates, you can pretty much be assured that you're safe -- all of the five AES candidates have been extensively cryptanalysed (especially by their competitors, all of whom are looking for a weakness in the others' algorithms!).
RSA public key encryption, on the other hand, could be susceptible to new solutions to the underlying "factoring problem". (Public key encryption uses the product of two large strong primes and relies on the difficulty of factoring very large numbers to provide its strength). There are varieties of public key encryption which use exponential equations distributed over a field (ElGamal) or elliptic curves (see http://www.certicom.com/ for info there) as the underlying "hard problem" rather than the factoring problem, but they have not been as widely cryptanalysed. Actually, elliptic curve cryptography is just now getting to the point where I think it's been analysed enough to be safe, but any public key encryption algorithm implicitly has a relationship between the public and private keys, so public key encryption is always susceptible to new revelations in mathematics, and the NSA has some of the best.
Which won't help them crack a message encoded with 256-bit TwoFish! But I would say that 512-bit RSA is toast, and 1024 bit probably would take the NSA spooks only a few days at most on their big specialized RSA cracker machines. (But note that someone "inside" has stated that the NSA doesn't even need to crack RSA for the most part, because people's computer security is so bad that usually they can walk right in and intercept the cleartext BEFORE they're encrypted).
-E
Send mail here if you want to reach me.
According to the regulation as recently posted to sci.crypt, even helping someone outside of the country with their cryptographic product is illegal. And you can't even move to Mexico (which has no encryption restrictions) and get away from the long arm of American law -- the regulation says that if you're outside of the U.S. and either develop or help someone make a product that would be export-controlled within the U.S., you can be prosecuted. Before you say "so what, I'm in Mexico!", the U.S. government has been known to *KIDNAP* American citizens overseas in order to prosecute them here... hell, they don't even have to be American citizens, they kidnapped Manuel Noriega and prosecuted him here too, quite illegally I might add; the man was a scumbag but that doesn't excuse it.
-E
Send mail here if you want to reach me.
The difference is that while both Encryption and Nuclear Technology can be used productively (privacy, energy), only Nuclear Power can actually be used as a weapon. Encryption's categorization as a munition is completely bogus; it is only considered that to prevent it from being exported, because government likes the ability to find out what people are saying. In the end it just hurts business, because privacy is a NEED in international markets. You send contract negotiations in plain text, your competitor is going to win.
What about the book publication of PGP? They printed out VOLUMES of PGP code, sent it overseas, and started scanning it in like mad. Hence, international PGP.
I guess you're referring to the "crypto-specific API" case, where your application invokes encryption functions through some sort of "crypto-specific" interface, and thus may be considered export-controlled even though it contains no crypto code. The restrictions on this are really enforced on a case by case basis, as the regulations don't really cover every question about what is a crypto-specific interface and what is not. However for my best guesses on the matter see question 5 of the Mozilla Crypto FAQ. I include references to the relevant sections of the Export Administration Regulations, but unfortunately the links in the FAQ are no longer working; check the GPO's online version of the EAR.
What you need is legal advice from a seasoned criminal lawyer who is also well grounded in D.C. politics. And even then, you won't know for sure until the first cases reaches the Supreme Court.
This is playing with fire. Even if it's legal, expect to spend years and millions in court.
I always thought that law was somewhat like a mathematical proof, where legislators attempted to capture their intention elegantly, and without holes.
It seems that reductio ad absurdum doesn't really apply in this case, though.
Matthew.
Nick
-- "It's a sad day for American capitalism when a man can't fly a midget on a kite over Central Park" - Jim Moran
You are not allowed to export encryption technologies, even if they are developed outside the US. In fact the statute is broad enough to proscribe you from doing a private security audit of foreign code and sending them the results.
--
"L'IT c'est moi!"
Hit submit button too soon...
You can however link to a site hosted outside the US where non-exportable material is kept. The EFF (I think) fought and won a court battle on this matter.
--
"L'IT c'est moi!"
Well, I can see that someone working on a nuclear weapon would be considered a traitor, but the point here is whether or not a encryption should be considered as important to state security. I mean, someone helping to develop a kids toy, even during a war, for an opponent probably won't be convicted as a traitor.
If you have proper crypto, it's almost impossible to find out that you do work on nuclear weapons or do other things considered treason. Or just trade kiddie porn. Authorities wouldn't be able to find out so they are afraid of strong crypto that's routinely employed by most people.
Of course, there's a pitfall here, since the smart criminals already have that crypto and use it regularly. The only people who don't have it yet are ordinary people. The terrorist threat won't change because of crypto, but if everybody uses it, authorities will lose their tight control. They don't like that, so they fight it, but ultimately they can't win. They would ruin their economy and people that way.
The next powers that be might well be corporations - but I digress...
-- Eavy (: Linux Is Not UniX
But IIRC, there is no provision in US code concerning export that prohibits me from leaving US territory and working as a consultant, even if the project I work on is crypto software that I could not export if I'd worked on it locally. Obviously there are other legal beartraps one could step on (working as a consultant developing nuclear missile targeting systems for China would probably result in an NSA-funded body cavity search as foreplay). However, outside of such obviously foolish and provocative activities (i.e. anything that could justify a treason charge), I don't believe there's any restriction on the export of cryptographic expertise contained in one's brain. If a US citizen travels to Brazil and works for a company producing a 1024-bit pgp-based email client, there's no US law broken. But there are two issues here: the items being transferred, and the transferring itself. I think there's a way to be safe from both perspectives.
If it is clear that the codebase resides outside of the US, and the US citizen contributes, then in principle the expertise is the only export from the country. Remember, it's not illegal for a US citizen to print out the code to a crypto program, take the resulting ream of paper on an airplane to Australia, and rekey it into a system upon arrival. Only exporting code in compilable or executable format is a violation of silly US law. By the same token (big disclaimer -- IANAL) a US citizen should be able to contribute to a foreign-based project legally by making sure the only tangible thing transferred internationally is knowhow. I.e. using ssh, the non-US-exportable item being developed never originates in the US.
Just to be sure that you've covered the transfer aspect as well, the work relationship also needs to be structured such that there never is an "export" event. One needs to make sure that the contribution takes the form of legal telecommuting to another country to perform work legally in that country. Even if you receive no other compensation than inclusion of one's name in a list of contributors.
IANAL. IANA export specialist. IAN even sure I know who I am.
I think not...(*poof*)
Sources, please. Is it illegal for a US citizen to develop and freely distribute a Tcl/TK front-end to a non-US-developed command-line crypto package? I don't think so. If you know otherwise, please refer to the legal source. As other posters have noted, there is a distinction between working on something that would be export-restricted from the US (chip design, hemp farming, certain software development, etc., which are not illegal), and working on something where the activity constitutes treason, which most certainly is illegal.
I think not...(*poof*)
I seem to recall that one of those cypherpunks who runs some kind of crypto company in Anguilla or somewhere renounced his US citizenship a few years ago to be able to legally work on exportable crypto.
Even if you don't have a high enough Noriega factor to justify kidnapping, if you're a US citizen and export crypto from the US or work on crypto overseas, you'd best be wary about catching any flights that stop over in US territory.
You could move to Fernando Poo or Stateless. Or one of those heavily-armed floating anarcho-objectivist colonies on the high seas. (Heavily armed to fend off pirates and because foreign governments would be only too pleased if they met with misfortune.)
Microsoft's Crypto API allows modules of any strength -- as long as they're signed by Microsoft. The compliance part involves MS not signing any strong modules destined for export.
I think HP or someone made a crypto chip that uses a similar mechanism, requiring an authentication code from a central authority to enable features. Thus it can do full-strength crypto in the US, 40-bit cereal-box-decoder-ring crypto outside of the US, and nothing at all in France.
All laws are subject to interpretation. I say it's time to get the lawyers involved and perhaps do some digging to see what kind of corruption we really have in the US government behind the "dangers" of encryption.
When I say all laws are subject to interpretation by the courts, let me relate my experience with a personal bad habit several years back. You see, I liked to drive fast. A lot. From speeding tickets to OJ getting away with murder, I'm sure the principle behind encryption is much more honorable and should be pursued.
My experience with taking things to court suggests anything can be pursued given enough energy for much less than you think. I accumulated *five* speeding tickets in Kansas City. My lawyer told me the law only allowed one instance of getting a ticket reduced to, say, a "parking violation." I got two tickets that week, a 90 in a 55 and a 69 in a 55. I may have interested him with my comment that I would like to fight these (perhaps unwisely) to the supreme court. He was intrigued and, to make a long story short, a few courtroom visits later I had no points on my license due to him getting the worst violations dismissed for technical wording. I added up the legal costs out of my pocket: $1055. After that I got rid of my radar detector and haven't gotten a ticket since.
Anyhow, I'm sure this encryption debate is not a boring issue with some powerful, yet isolated government officials. It's time to turn up the heat and see how they react. It has nothing to do with terrorism or child molesters, but may have much to do with government officials stealing secrets from industry and their sideline consulting businesses. I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.
I think this could work...
As mentioned, the screen seen while editing is obviously "import", and code never does get exported, as it is abroad all-the-time.
The article's title is a bit misleading, SSH is only a detail in the method, ssl-telnet or any other encryption program could be used.
Your solution for the crypto stuff is the equivalent of uploading a patch. This is, from my understanding, legal, as there are patches to SSH to let it run under Win32, which can be exported, though the binaries themselves that result from applying the patch cannot be exported. Instead they must be compiled and distributed completely outside the US.
I'm not a lawyer, and I don't claim to be (so you might want to double-check with an expert!), but that's my take, fwiw.
The other cool thing I learned is that BSE isn't a virus, it's a funky self-replicating protein. Yes, self replication without DNA. Totally unlike any other communicable disease...
Here's the link. It's worth your time
Click me
moo.
- Digger
Unless, that is, you want to star in a test case.
My guess is no. The US crypto export rules go beyond the simple: "you can't export real crypto." For example if an American wishes to move to Canada to work on cryptography they have to: renounce American citizenship, and WAIT 10 YEARS. This is probably true for Americans moving to other countries as well. This assumes that the American will want to some day return to the US. There is not much the US law can do to you, if the country you are in won't extradite you (Canada will extradite).
> it takes more time than SSH but you get to have :-)
> some real food instead of american genetically
> engineered hormone grown hamburgers..

And catch Captain Tripps or other funny one-time diseases while eating British beef?
Uhm, no thanx
"Life is short and in most cases it ends with death." Sir Sinclair
wouldn't that be import when he/she loads up the file and has it sent to the screen? And aren't there policies about that too?
I think denying citizens the right to privacy is treason and I'm sure there is real evidence of corruption involved.
I was so moved that I had to post this short message and say that I agree 100%.
Wow. I was just thinking this myself before I read your reply. It is sad when we as a supposedly "free" country don't even have the right to privacy or the simple right to exchange algorithms or ideas with people in other countries. Write your congressperson! These laws need to be stricken from our books. The Constitution was intended to preserve our freedom of speech, not to take it away!
After all, I believe there were issues with software which invoked PGP (such as mailer plug-ins), which only used the interface. I believe patches are a similar situation. Of course, take this as a grain of salt as IANAL.
Find the original ITAR regulations somewhere on Thomas. Recently, the controls were transferred to Commerce by the Export Arms Regulations. Strong Cryptographic software has been placed on this list of unexportable munitions by the President. In a nutshell, anyone can write any cryptographic software they want. However, if the strength of said software exceeds 56 bits, I believe, it cannot be exported from the US without an export license from the Commerce Department. US citizens may not acquire said software, take it to Canada, and re-export it from there; however, I'm not so sure Canadian citizens are banned from doing any such thing.
As for where the list of munitions is, I'm not sure.
Why can PGPI.com export the code? At the moment, any printed material is considered to be speech, and may be exported under the First Amendment to the US Constitution. The current manufacturers of PGP simply printed the source code in an easy-to-OCR format, PGPi bought copies of it, and distributed them to Europeans who proceeded to scan and proofread them.
Doh. Should've checked my copy.
Well, then, we must do what we must - fight the powers that be.
"a"
The preceding letter is an excerpt of a piece of a very strong encryption algorithm, posted to Slashdot where my fine European and Asian compatriots may get ahold of it.
Although I don't support the use of the letter 'a' (there, I did it again) in harming the United States of America, I must support strong crypto.
If the government comes after me for this, I will be forced to purchase a dozen PowerMac G4s and flee the country.
- Darchmare
- Axis Mutatis, http://www.axismutatis.net
- Jeff
Maybe, but if I'm lucky they'll let me keep my G4s.
- Darchmare
- Axis Mutatis, http://www.axismutatis.net
- Jeff
shipping a nuclear bomb overseas, one tiny little piece at a time? I don't think the feds would let that one slip through the cracks. :-)
Certainly not, if they ever found out, which is the point of this whole discussion in the first place.
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
It would be very slow but may be within the law because nothing is leaving.
Nope, the data is still being sent -- it's just encoded in the ACK sequences then. In fact, modulating ACKs is one popular way to quietly get data out of non-airwalled "secure" networks, hence we use fun devices like NLS pumps to prevent that.
[ n.b. if you actually care about something, don't ever put it on a machine even remotely near an open network, firewalls, NLS pumps or no. Airwalls are the only way. (and even then they're not totally secure due to human factors) ]
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
At the end of each line, you could put a checksum digit. Then, if the OCR fails on that line, it can be flagged for checking by the human operator.
This was done for the PGP book and others.
Berlin-- http://www.berlin-consortium.org
DNA just wants to be free...
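The per-line checksum idea described in the comment above, as an added example that is not part of the original post: each printed line carries a short checksum so that an OCR misread can be flagged for a human proofreader. The 4-hex-digit truncated CRC-32 and the two-space separator are assumptions of this example, not the exact format the PGP source books used.

```python
from __future__ import annotations
import zlib

# Constructed, simplified scheme: append a short checksum to each printed
# source line; after scanning, recompute and flag lines that do not match.
# (Assumed format; not the actual PGP book format.)

SEP = "  "  # assumed separator between source text and checksum column


def line_checksum(line: str) -> str:
    """4-hex-digit checksum of one line (low 16 bits of CRC-32)."""
    return format(zlib.crc32(line.encode("utf-8")) & 0xFFFF, "04x")


def format_for_print(source: str) -> list[str]:
    """Append the checksum column to every line, ready for typesetting."""
    return [f"{line}{SEP}{line_checksum(line)}" for line in source.splitlines()]


def verify_scanned(printed: list[str]) -> tuple[list[str], list[int]]:
    """Split scanned lines into text and checksum.

    Returns (recovered source lines, 1-based line numbers that failed the
    check and need manual proofreading). A misread in either the text or
    the checksum column causes the line to be flagged.
    """
    recovered: list[str] = []
    flagged: list[int] = []
    for n, raw in enumerate(printed, start=1):
        text, sep, check = raw.rstrip().rpartition(SEP)
        if not sep or line_checksum(text) != check.lower():
            flagged.append(n)
            recovered.append(text if sep else raw)
        else:
            recovered.append(text)
    return recovered, flagged


# Constructed sample source for the demonstration.
SAMPLE_SOURCE = "int main(void)\n{\n    return 0;\n}\n"


def demo() -> tuple[list[str], list[int]]:
    """Print the sample, simulate one OCR error, and verify the scan."""
    printed = format_for_print(SAMPLE_SOURCE)
    scanned = list(printed)
    # Simulate a classic OCR misread: digit zero read as capital letter O.
    scanned[2] = scanned[2].replace("return 0;", "return O;")
    return verify_scanned(scanned)


if __name__ == "__main__":
    lines, bad = demo()
    for i, line in enumerate(lines, start=1):
        mark = "CHECK" if i in bad else "ok   "
        print(f"{mark} {i:3d}: {line}")
```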
While their claim is farfetched, they have been open for over a hundred years.
Then again, there is a pizza ("apizza") place -- Pepe's Pizza -- in New Haven which claims to have invented the pizza pie. I have it on great authority from another pizza place that it was invented in Brooklyn, perhaps at John's Pizzeria. And of course any Italian you meet will have their own deluded notion that pizza refers to the dough used, and it was invented in Italy. Oh well.
The moral of the story is: when in New Haven, eat your burgers at Louis Lunch and your pizza (white clam is the best!) at Pepe's.
Beware of anyone who claims to have invented anything culinary.
Russell Ahrens
Working on strong cryptography is not covered by export laws. It is covered by munitions laws. In the same way that an American citizen cannot work on a nuclear bomb project for Iraq, an American cannot work on cryptography for a foreign company or for a foreign open-source movement.
Basically, American citizens are not allowed to directly transfer intellectual property, whether it be code or simply ideas, concerning strong crypto to foreigners. Of course, Americans can simply write a book with these ideas and/or code. The First Amendment to the US Constitution is still stronger than the munitions laws. This is, in fact, exactly what Phil Zimmerman (he is the guy that wrote PGP, right? my memory is getting weaker these days...) did... he published the source code to PGP in the form of a book.
--Be human.
If I get this correctly, telnetting into an offshore box and contributing "data" would be the equivalent of doing gambling over the net.
In both cases you would be contributing something that is illegal in your own country to another country. Data for crypto and money for gambling.
Someone had mentioned that if you were helping a country with crypto and they were using it for nuclear weapon technology, you would be counted as a traitor if there was a war. What if the offshore illegal site you were gambling on was using its profits to buy nuclear weapons? In both cases you would be contributing to your country's enemy.
Darlock (from Canada)
---------------------------------------
A child is walking along the beach at low tide.
The beach is covered with thousands of star fish stuck up on the sand as the tide moved out.
The child walks along, picking up one star fish at a time and tossing it out into the ocean.
An old man comes along and says, "What are you doing? You can't possibly save them all.
You are wasting your time. What you are doing doesn't matter."
The child with joy in his face picks up another star fish, throws it into the ocean and says, "It matters to that one."
If you go and find the stupid crypto export regulations, you'll also discover that they technically make it illegal for a US citizen with crypto expertise to travel outside of the US and sell (or give away) their crypto expertise there.
The loophole you think you've found just isn't there.
US Law forbids its citizens from exporting crypto expertise (or crypto work) as well as actual crypto binaries. If you're currently a US citizen and you want to export some crypto expertise, I think the only way you can do it is by leaving the US, becoming a citizen of another country and renouncing your US citizenship. Otherwise you'd be breaking US law and extradition might be possible.
That is a bad attitude to have. If everyone decides to follow only the laws that they agree make sense, you will have anarchy.
If you don't approve of the rules, work to change them. Don't just pick and choose which ones to obey.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
About a month ago, Forbes had an article about Protegrity, a Swedish company that does crypto related work.
One of the paragraphs in the article:
"Unlike Protegrity, American encryption companies have to engage in some fancy footwork to stay legal. "It's like defusing mines--one wrong turn and the mine could explode," says Stewart Baker, a partner in the law firm Steptoe & Johnson in Washington, D.C. For instance, if only two of a firm's engineers, one in the U.S. and one abroad, were to exchange insights about an encryption algorithm, the U.S. government could shut the company down, fine it $1 million and jail its employees."
Seems pretty cut and dried. If just talking about it theoretically is enough to get a company in deep, I think that coding, even over a terminal connection, would be just as bad.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
What I said, is that you should move to change them. Rosa Parks did that. In her case, making a statement, by standing up to them, was how she worked to change them.
You guys are willing to make a stand just like hers. Only you're too chickenshit to even identify yourselves by name on a forum like Slashdot. I assume you'd never consider putting yourself in harm's way, the way Rosa Parks did.
I don't have a problem with actively opposing laws, but don't hide in the shadows and try to sneak around the laws. If you think they need to be changed, stand up. Oppose the laws openly. And then fight for your right to do what you feel needs to be done.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
A single person can provide the genesis of a movement.
If you expect things to change, at some point someone is gonna have to make a move to get things changed. It's very rare for laws to spontaneously disappear.
"Politicians are interested in people. Not that this is always a virtue. Fleas are interested in dogs." P.J. O'Rourke
Just move to Canada; you can still pass crypto across the border to the US with next to no restrictions and still export it. Plus free healthcare will be able to deal with your stress of paying taxes.
You don't exist. Go away. --SysVinit Halt
So you're actually having a problem with a big political power acting self-righteously just so they can feel important?
;-)
And you're a US citizen?
Can't be, right?
>To exercise exclusive Legislation in all Cases
>whatsoever, over such District (not exceeding
>ten Miles square)
(Italics mine)
What you missed is that the congress also exercises joint jurisdiction over the rest of the United States (granted in the "necessary and proper" clause of the Constitution).
Please look up "Dual Sovereignty" in your law dictionary.
IMHO, IANAL, and all other disclaimers apply.
0 1 - just my two bits
But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?
Free world or not; developing nuclear technology should be wrong if it's for your own nation or a foreign one.
"Articles like this make me want to yell, 'we're not all freakin american!!'"
Which is why the poster said a "a developer in the U.S." This doesn't apply to you.
If you don't like the article, don't post a comment to it.
This sig is false.
It's sort of ironic you chose nuclear secrets for this sort of discussion, because this ties into national news as well. (National news? The big blue room? Aieee!)
There was an incident at Los Alamos labs where a person had access to nuclear secrets in an encrypted channel, and then copied them to an unencrypted channel and sent them to China. When you look at it, it's what you're talking about: "secrets" that should not be exported from the US (crypto or nuke) being sent to another country for development of a "program" there. That's what this boils down to. And in the case of nukes, people have resigned and others may be indicted and convicted of espionage.
On the other hand, I can't help but wonder if anyone working on SSH or the like is in the United States, and if that violates any laws...
Thank you. I was wondering how long it would take someone to realize that when you type in your changes, you are EXPORTING that code. You type here, and your code TRAVELS down the wire to Iraq. Surely the government needs to know about subversive activities, and I for one am glad that there are humble, concerned people like the FBI, CIA, and J. Edgar Hoover watching over my e-mails to my friends and family. I am sure they wouldn't ruin your professional reputation to protect their privilege. I am sure that they wouldn't trump up espionage charges, and lock you up for the rest of your life. Have a nice day!
Who throws his shoe anyway... I mean really.
Didn't someone decide that source code is free speech and therefore protected...? So wouldn't this be a non question?
xm@GeekMafia.dynip.com [http://GeekMafia.dynip.com/]
Why would Linus have to look at it? He deals with kernel additions mostly, right?
There's no restriction on importing strong crypto INTO the US, is there? If not, why doesn't the Linux community just agree to restrict all strong crypto development to people who aren't going to get in trouble for it and have US-based developers focus on other projects? We all get to benefit from the proceeds, so what's the difference?
Right. And when you return from your hard day's work at the foreign embassy and return home, you will most likely find several darkly clothed individuals who represent the US government wanting to have a pleasant "chat" with you.
Seriously, what you are suggesting is tantamount to hand delivering technology from the US to another nation. Whether it is by travelling several hundred miles or just across the street, you are basically giving technology to another foreign power. Embassies only provide protection if that country decides to accept you. But since you will be willingly leaving the building every day, that just means there will be people waiting for your return to dole out your punishment, if you have violated the law(s) through your activities.
One thing I don't get is why no one here admits Crypto is munition when everyone here admits that it should be used as such. Is it just denial?
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
One of the main reasons there is such a stint over crypto is that it is considered a munition. So exporting it is tantamount to exporting live rounds, according to the law.
Here's something interesting: Quite a few posters here would suggest that such an association of crypto with munitions is silly. That crypto isn't like live rounds or armour. But if that is the case, then why is it that crypto is referred to as a technology to "protect" us from the government's eyes and ears? Why the mention of ssh for "protected" and "secured" channels of communication? Obviously cryptography is being used as a tool, one which proves to be as effective as a gun, flak jacket, armoured tank, or missile silo.
With cryptography, you can potentially run an underground operation without being detected. Your paper trail would take decades to decode or decipher, during which time the statute of limitations would expire. With cryptography, the order to assassinate would never be heard by anyone other than the person the message was intended for. It is the cloak which pairs with the dagger. The stealth camouflage.
Yet there are still some people who argue that the idea of crypto being a munition is silly. Fine. Whatever.
The law is there not because the government thinks US citizens are the brightest folk on the planet. It is to offer a means to punish those who would think to leak the secrets, weapons, technology, secret keys, etc to other nations either out of sheer ignorance or for personal gain.
Powerful encryption is just as important as the latest technological advancement in military technology. It is useful if you have an understanding of how to use it which is on par or better than others who are using it. It is EXTREMELY beneficial if you are the only nation which holds control over it.
The laws cover US citizens no matter where they go. Or at least they try to. Some people praise them for saving their asses when they get into trouble in other countries. Those same people scream their heads off when those same laws follow them when they want to do something illegal outside of the jurisdiction of the States.
If you ran a company and needed to keep clientele secrets for a living, what would happen if your employees had a habit of going home with a headful of those secrets and telling them to a friend when off duty and off company grounds? Just because they aren't working, does that mean the rules and regulations won't apply until they check in again? Does THAT make sense? No. The rules would apply even after work hours and off company grounds. It is the nature of the situation which creates the necessities for these laws. Due to one viewpoint or another.
The ironic thing, of course, is that these laws were probably created by the very same type of people who are now seeking their removal. And in time, these new people will bring about laws which will become targets of yet another generation with different viewpoints.
Basically, if you don't like it, talk to your representatives. Send letters. Send emails. Change the law. It IS your right. Better that than sneaking around hoping to not get caught because you think the law is evil.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
So, what you are saying is that someone, in this case, a US citizen, is participating in the development of cryptography, yes?
And while that isn't a big deal, we add into the stew the note that this person is physically in the States. But the databases and code he is working with are outside of the States.
This has some ramifications. Namely, the person in question is developing cryptography. But not only that, he is helping a foreign organization develop it outside of the States. But he is using his knowledge of cryptography and/or programming combined with what he personally knows to aid the development of cryptography in another nation.
If the problem is somewhat hard to see, let's use another example. Nuclear weaponry and technology.
Let's say our friend is a US citizen and through an encrypted channel, is helping an organization in another nation work on nuclear weaponry. Sure, he doesn't have any documents on this side of the border and sure, all the work he is doing is stored remotely. But what do his actions amount to?
I'm not sure in our current state of "peace", but if it were during a war, this person would be considered a traitor and if caught, would be held for treason.
I'm not saying it is right or it is wrong. But the aiding of foreign nations to develop technology which could in turn be used against the States isn't exactly smiled upon.
But then again, I could very well be wrong and there is nothing wrong with communicating with foreign groups to help with the development of crypto and/or nuclear technology. I mean.. it's a free world, right?
On a side note, a knife painted like a banana is sort of silly, but it is still a knife and by that token, still dangerous and something to be respected. Even if the wielder is nothing more than a clown.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
- Wing
- Reap the fires of the soul.
- Harvest the passion of life.
You would be following the letter of the law rather than the spirit. If the US Government did happen to take an interest in you, they'll drag you into court anyway - and they just might win (try explaining your reasoning to a group of twelve random people and see how many of them get it.)
Interesting idea, though...
Ah, but to persecute ... er... prosecute you they have to admit they can break it, thus spurring the rest of us to use an actually-secured system. Much better to let a hacker do something that's going to get done anyway than to lose the ability to eavesdrop on all the naughty emails and whatnot they're really after.
There are some pretty vague and broad laws regarding computers and crime on the books in the US. If I remember my "Hacker Crackdown" (Sterling) correctly, title 18 of the United States Code has sections for this. One states that it is illegal to own or know how to own/operate a device which can be used to gain unauthorized access to a US gov interest computer. So, technically, since the government has computers on the web, it is illegal to own a computer which can connect to the internet. It is also illegal to KNOW how to use the internet.
It doesn't matter if what you're doing on the net is legal or not. The US Government can arrest you simply for knowing how to connect. Similar logic follows for the phone system. Since the government uses the public phone network, then the phone switches are government interest computers, and owning or knowing how to use a telephone is therefore illegal in the US.
I've never seen this enforced, but the law's on the books (section 1029, title 18 USC if I remember correctly). Code crypto all you want. If you are caught talking on a public phone, you can still be arrested.
"Let him go, Ralph. He knows what he's doing." --Otto Mann (simpsons)
rather, Robert O'Callahan wrote TTSSH the extension of TeraTerm Pro, sorry if that was misleading.
Boy. I bet this guy must have been pissed when he realized he could leave the country after all.
I had the "pleasure" of attending a BXA (Bureau of Export Administration) conference on the subject of encryption export, though it has been a year or more ago, and the information presented may be a bit dated. The fun part was that there was a representative of the NSA at the conference.
Basically, the NSA wants to keep the "knowledge and capability to produce strong encryption technologies" out of the hands of other nations. Of course, according to the BXA, that "other nations" thing is actually broken down into several categories of other nations. Canada, UK, Australia and such are better than Libya, North Korea and the like. You can do different things with the different categories of countries.
What it boils down to is that, regardless of your physical location, transferring encryption knowledge or capability to another country is a Bad Thing, regardless of how it is done. Working in the US and doing stuff for another country is uncool in their eyes. For those of us with international WANs, we also must be careful what the other nations can see on our domestic networks - if they can get to any encryption software, that constitutes export. FYI - they also cover foreign nationals working in the US, and Joe Blow taking his laptop with PGP installed abroad.
If you want to know what you can and can't do, contact the BXA. They mentioned this several times in their presentation - they are there to help you understand the laws, and they claim to be very happy to help you with your questions (though I have never personally had the experience.) As rapidly as things change, if you're not involved heavily with encryption export, you are likely to not have the correct information. Even the folks at BXA are on their toes, but they know who to contact for the latest dirt (the NSA, I presume...)
Hope this helps some.
Why not make it so that Anonymous Cowards can't post (only reply to other comments) until the first ten or so are in?
http://www.bombcar.com It's where it is at.
Fellowship 9/11
Very very true. Main point being that Americans are constantly eating whereas in France there are simply 3 meals. I'm just pissed about not being able to get good non-pasteurized cheese here in the states! Stupid FDA...
if he just fixes some bugs (like fixing a typo or changing the name of a function), I think this would not be considered export, since the only things you exported were the cursor movement and character deletion keystrokes
In this you'd be safe, imho, only because any anti-crypto prosecutions would be laughed out of court. If you were busted and were forced to use the 'only a few key-strokes' argument, however, you'd be skating on thin ice. After all, all programs could be considered the sum of their key-strokes, and it doesn't matter whether they were written by one person or ten; if you willingly contribute code in a foreign land you're breaking the law.
The company I work for (which shall remain nameless) has a strict policy on this sort of thing; our hot'n'juicy lawyers have made sure that the policy strictly conforms to US and international law. ANY work done by a US national that is implemented in a project outside of the borders of the US is considered export work. This includes bug fixes, and even commenting on work done by foreign nationals outside the US. In fact, even commenting on software produced by foreign nationals WHILE IN THE US is considered exporting those resources. Consequently, our encryption division looks like a typical shaker community; you shake it, and nothing but white guys fall out.
How about this? Set up a program on port X, which when sent data will output the data encrypted with a given key using 56bit encryption.
Repeat as many times as you want. :)
Since the program does only 56bit, and something else has to rerun it through the program, would this work? After all, the program itself is weak, and you'd have a hard time convincing anyone with a brain (hrm, that's the crux of the matter tho.. none of the people making laws have 'em) that the software making use of this service is necessarily using strong crypto; it doesn't have to do it multiple times. And the data output might not be encrypted: you could have a dummy encrypter that spits out the same data, or maybe just gives it a date/time stamp. That way it's just a general use port, not a crypto-specific port. Then we can have another port and program that feeds the given data x times through the crypto port and returns the results. This isn't crypto software, since the port could also be used to, say, calculate CRCs or MD5 checksums or the like.
The usual disclaimers apply.. IANAL, etc
You must! Or no more cheese-buying! Funny how they object to the hormones in the beef being 'bad for you' when I'm sure all that cheese is a heart attack on a cracker. At least the French will die of a heart attack brought about by foodstuffs created by an ancient technology rather than a new one. If you're not French, oh well, sorry. This just sounds like the Euros making noise so they feel important... like how the Russians moved first and without direction during the UN 'occupation' of Kosovo... hee hee
Blar.
Only with mayo?
Hell no! As a Belgian I am proud to say that most "friteries" have a very wide variety of sauces one can put on "french" fries... Including a sauce called "american" which I have never seen in the States....
With regard to crypto software, US export control laws regulate three broad classes of behavior, which US persons (US citizens or green card holders) may not engage in -
1. the export of code which performs crypto for hiding information (crypto for authentication is treated differently), or code which has been specially designed or modified to work with crypto code
2. the transfer of technical data (plans, blueprints, documentation, test specs or results, etc) to a foreign person who will use them to create crypto code
3. providing technical assistance to a foreign person who will use them to create crypto code.
The regs do not restrict the publication and distribution of books on paper (like Applied Cryptography or the PGP source books) but they do restrict publication and distribution in electronic format (like web pages, or Applied Cryptography example programs on disk, or the PGP executables).*
Note that it's not important where the US person is located, nor how they communicate with the foreign person (other than the published printed material exception).
That's what the law prohibits.
It's important to not confuse techniques or strategies which make the likelihood of capture and conviction less likely (like using SSH to hide evidence of an illegal export) with techniques or strategies which comply with the letter of the law while frustrating its intent - e.g., doing work in the US and publishing it on paper, or developing crypto outside the US with non-US persons (Canada and Anguilla are two popular locations) to avoid the US' regulatory reach.
I'm an attorney who has worked on crypto export control issues, but the above isn't nearly complete enough to be legal advice, it's just a very short summary of current law and interpretation. If people need more information, email me and I can give you names of people who do this for a living. (not me, any more.)
* I went to a seminar on crypto export control put on by the BXA, the agency which enforces the regs, and another attorney asked one of the agency personnel to agree that loaning a foreign person a book about crypto did not constitute technical assistance or the provision of technical data, and the BXA person refused to provide an answer one way or the other. I think the First Amendment should protect that behavior, but the USDOJ and BXA have been fighting against the First Amendment in the Bernstein case for 4+ years now, so that may not be worth much.
There's a somewhat out-of-date version available online for free at ; they charge $20/month for access to their electronic searchable full-text version.
The non-military crypto export control regs are at 15 CFR 740 (and subsequent subparts) if you're near a library which subscribes to the US' Code of Federal Regulations.
Well, we are just as good at puttin' hormones and stuff in our meat here in Europe.
And genetic engineering? Look at 'em Belgian Blue cows!
Call me stupid, but I thought the mad-cow virus lived in brain tissue. Is there a waiting time or something? 'Cause I can't imagine mad cow staying in your bloodstream past a certain amount of time. (Though you'd probably be dead by then, I guess, but that's not the point.)
As somebody who has developed Crypto software outside the USA, I can say that in my opinion if you tried that game, you'd get to have a very close association with Bubba, who'd want to make you his own personal friend.
There is a key part in the US laws regarding "giving aid to foreign nationals" which doesn't necessarily mean that it's actually doing the work, but merely assisting in that work being performed.
Remember, these fall under the jurisdiction of munitions, and if I tell you how to make a nuke, even if I'm not physically present, then helping them make the nuke is (according to the laws) bad.
I was involved in the development of one of the JCE's that are now available outside the USA, to do this, we had to reverse engineer how the code must work, by looking at the interfaces provided by Sun. There's not even any crypto algorithm code in the JCE.
There's a document on Sun's web site relating to the implementation of a cryptographic provider (which is where all the crypto algorithms actually exist) and how it interacts with the JCE. If you are outside the USA, you aren't allowed to download this document because it will assist you in developing cryptography (read munitions).
In summary. I wouldn't do this if you value
being able to walk around outside wherever you want, whenever you want.
I'm a dual-national (UK/USA), but I haven't been over there since about 1985. I wasn't even born there.
Does anyone know what restrictions/advantages I have as opposed to a normal everyday UK citizen, w.r.t this sovereignty issue?
You guys are really ill in your brain ...
What does it matter if its the 20th post ???
As noted previously on Slashdot, /home is where /house is.
Ex Libris Veritas
I believe that the laws apply to anything made *by* an American, in America. I mean, the question of the location of a box is practically retarded. What difference does it make where the actual box you're telnetting to exists?
You might be on better legal standing if you physically moved the computer, but I seriously doubt that any judge (at least one who didn't question the constitutional merits of the 'law'...) would laugh you out of court if you tried to say that because you were telnetting to another country, you were not exporting anything. You still did your *thinking* here.
You are still allowed to work on crypto, even download foreign source and play with it. You just can't export the results (so if it was GPL, you probably couldn't distribute the results; not with the BSD license though, I think).
I would talk to a lawyer before trying to physically transport yourself for coding. But it's not really that important for Americans to be able to do this (for the world, I mean; I realize it is important to Americans themselves). There are many intelligent people in the world working on these problems; they might want our help, but they don't need it.
"Subtle mind control? Why do all these HTML buttons say 'Submit' ?"
ReadThe ReflectionEngine, a cyberpunk style n
Alternatively, what if people were to publish, on the web on US servers, parts of the code to SSH? I could then cut-and-paste (hooray!) and create a whole program. No one would have exported any useful code and I would not have imported any useful code.
Maybe the latter would be about as useful in court as "I don't understand the problem. These were only the detonators" though.
thoughts/feedback?
well i did not know that..but i guess the SSH/telnet/whatever does not work either..
i am not a lawyer, but using telnet to write crypto programs on an european computer seems to qualify as 'working on crypto outside the US'
laurent
I hope for nothing, I fear nothing, I am free. http://euclidian.org
Another way to do it would be to spend some time in Europe and fiddle with us bearded European math wizzes.
It takes more time than SSH but you get to have some real food instead of American genetically engineered hormone-grown hamburgers..
laurent
I hope for nothing, I fear nothing, I am free. http://euclidian.org
Also, Linus *is* involved since this policy prohibits the introduction of strong encryption routines into the kernel itself. That means we all lose:
- strong filesystem encryption (at the kernel level)
- strong filesystem authentication (e.g., having a file system which checks the checksums of files before allowing 'execute' access)
Actually, strong authentication is fully exportable, so there wouldn't be anything to keep strong execute authentication from being rolled into the kernel.
It's illegal to help foreign individuals with crypto code if you're a US citizen. You can't put hooks in your programs that are for the purpose of adding in a crypto package, even if you don't distribute the crypto code with your package.
You are all splitting technical hairs here. If the person in the US logs on to a server and changes some function names, then they are not developing cryptography, they are changing function names, so no problem. If they log on and write significant portions of any type of cryptography routine, then restricted knowledge is leaving the US through whatever channel, and yes, you are probably going to be in trouble. Remember, cryptography is categorized as a munition, so its export is controlled as such. In past cases, just because someone has leaked nuclear secrets over the phone and not actually shipped out any nuclear material does not nullify the export requirements.
heh. so much misinformation, so little time.
-- Virtual Windows Project
OpenBSD is developed in Canada and incorporates strong encryption right into the kernel. The OpenBSD folks state, and this is essentially hearsay mind you, that encryption technology may be freely exported from Canada provided that the technology itself is free, or for academic purposes. It is in this sense that they claim to be able to allow OpenBSD to be exported to any country.
I'm Canadian, so you can't call me ignorant :-)*
What possessed you to post this comment? I'm serious. I don't understand the logic. The US has ignorant crypto regulations hurting important secure projects. This is an idea that might (IANAL, nor am I familiar with the exact wording of the laws) be a loophole around the problem.
To the 'mericun's defense, they didn't post "We're not all freakin Canadian!!" posts on the Canet3 story.
You're doing to Canada what all those flame-happy Linux zealots are doing to Linux. Stop it. Please.
Aren't we Canadians supposed to be polite?
MS seems to always insist that the only reason they are in court is that they bundled Explorer with Windows. As is often pointed out (usually by MS supporters), bundling _is_ a good thing. Technically MS may have been in violation simply because of their consent decree. However, Netscape _agreed_ that MS should be allowed to bundle Explorer with Windows. Note that:
- Microsoft refuses to let Windows be bundled with Netscape. Since bundling is good, this is bad. Allowing bundling with one browser but not the other clearly does not result in a level playing field. This is unlike e.g. Red Hat, where you can re-arrange the distro any way you feel like.
- Other companies (e.g. Apple) allow bundled software to be uninstalled. I think this played a part in the DoJ's decision, but it sure ups the aggravation value.
- Who cares what Apple does anyway? They probably would have been sued by now if anyone could be bothered. Anyway, maybe if anybody cared enough about it to sue Apple, then Apple may have just decided to give in and give their customers more choice.
-
We use GNU/SunOS.
If the answer to the question I'm about to pose is an obvious one, I apologize in advance; please forgive my ignorance on this subject, as I am Canadian. It's obvious from the articles and postings that the US has some stupid rules on who can use cryptography and how they can use it, but a lot of these postings are inconsistent with each other. Some say a US citizen can write cryptographic code, but not inside the US borders. Others say that a US citizen can't write cryptographic code at all. Also, what about foreigners that are currently in the US? Could a Canadian visiting relatives in the States write crypto code on his laptop while there? I guess I should just ask if anyone could provide a link to a site where the official law is written so I could read the fine print myself. Thanks in advance.
"There's nary an animal alive who can outrun a greased Scotsman !"
I don't remember the specifics, but wasn't there a professor somewhere in the US who published an encryption scheme on his web site, complete with source code, who got charged with violating the export restrictions? After a fairly long trial he won on First Amendment/scientific discourse grounds. I think the first person to try this would get charged but would win their case, especially since the code would never have even existed in the US (in full, anyway).
It's irrelevant anyway since the US and Canada have treaties which make Canada "domestic" for US export laws, and which prohibit Canadians from re-exporting software they picked up from the US.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Under the current US interpretation, it's illegal to do a logical no-op like downloading a file and immediately reuploading the identical file.
Editing a file remotely, instead of downloading it, editing locally, then uploading the changed file might not be considered a legally significant difference since the end results are identical - software exists outside of the US and Canada which didn't exist there prior to your acts.
Those comments are completely uninformed. It is completely legal to publish the complete source code to PGP, DES, Kerberos, etc. (either in bound book form, or even source listings), and transport them out of the country.
Not only "can" this be done, O'Reilly has published several books using special fonts designed to reduce OCR errors. "Cracking DES" is one well-known example, and AFAIK it has been exported without problems.
The *only* thing that's illegal is to export the exact same material in electronic format. So you can ship a palette full of boxes containing source code, but not a CD-ROM containing the identical material. You can even carry the OCR software out on a disk, since it's not export restricted.
This is why many of us are so frustrated with current US policy. It doesn't stop anyone from exporting cryptographic software, it just makes it such a pain that few people bother. (BTW, when Phil Zimmermann was being investigated for exporting PGP, the focus was always on a specific FTP transfer that occurred almost immediately after he released his code.)
The problem with this reasoning is that you can't re-export cryptographic software, so you can't have US mirrors of these packages. Ditto US-based distributions, for the same reason.
Also, Linus *is* involved since this policy prohibits the introduction of strong encryption routines into the kernel itself. That means we all lose:
- strong filesystem encryption (at the kernel level)
- strong filesystem authentication (e.g., having a file system which checks the checksums of files before allowing 'execute' access)
plus numerous other applications which are currently in userland since the kernel lacks encryption. (SecureRPC, VPN, etc.)
The results of this policy are very much like the driver who slams on the brakes to avoid harming the cute little squirrel running across the street... but causes several injuries to her passengers and the people in the following cars, to say nothing of $50,000 in damage. It's a damn good trade-off, as long as you never take your eyes off the furry little drug-running child pornography terrorists which only you can see.
Nope, Canada is still considered a "domestic" site for the purposes of ITAR. US law allows export to Canada, but *Canadian* law bans reexport.
What you're describing is crypto developed in Canada alone, which is a grey area. I think the treaties ban it also, but last I heard the current Canadian government didn't have its head as severely dislocated into its digestive tract as the US government.
BTW, before someone else marks this "offtopic" or "flamebait" I believe these treaties date back to the creation of NORAD and the associated consolidated US/Canadian military commands. It made sense in that context, but nothing about treating unclassified software as a "military munition" makes any sense.
... and Finland is in Europe. And he's welcome back anytime.
Is the US the only nation to prohibit export of crypto technology? Here in the UK we have a number of tools that are slightly stronger than 56-bit. I hope that the US departments responsible for the export restrictions realise that it is possible to do mathematics outside their borders. Until they successfully ban 'foreigners' from doing maths in their own nations, the export ban will continue to be ineffective.
I'll take my nice sane, bovine-growth-hormone burgers over those mad cow burgers over in Europe... :)
Seriously though, in Canada, you can't donate blood if you've spent a certain amount of time in England for the past while. They're especially paranoid about that here in Quebec.
-- Will quantum computers run imaginary-time operating systems?
I was under the impression that OpenBSD was based in Canada so it could avoid the draconian American encryption laws, which would imply that Canadian encryption export law is different from American.
Although I'm a Canadian, I don't really know the details of the law. However, I don't think we have any export restrictions.
Crypto algorithms are short and sweet (well not always) but Crypto modes and protocols are often complicated and cumbersome, especially if you want the program to be useful.
The ITAR prohibits the export of 'crypto-enabled' software.
I don't get this. Is EMACS illegal to export? (It sure as heck has "hooks" to plug strong crypto into.) What about Microsoft Word? (I wouldn't want to code an implementation of IDEA or something in VB for Apps scripty things, but...) Maybe you see my point... but if those are allowed, then any crypto hook would have to be allowed as long as the interface was sufficiently general.
-- The act of censorship is always worse than whatever is being censored. Always.
If you're working on a Free Software project, just do it, and if you think you'd have legal problems just deny that you contributed code to that project. Stupid laws aren't worth obeying!
I know of no move that I personally could possibly make to change US federal anti-crypto-export laws.
I do know that if I was connected to a non-US box through a well-encrypted connection, the fact that exporting crypto is illegal would become irrelevant.
Trying to change a law is nice, but the USA has 260+ *million* residents; the most I can do is try to suggest civil disobedience when it makes sense, and suggest lobbying government groups when that makes sense.
Resistance takes time and effort. When you just want to get work done, ignoring useless laws works better. If you ever get started organizing a group of people for the purpose of actively protesting that set of laws, e-mail me, I'll probably want to join in -- but myself alone trying civil disobedience would be pretty much stupid (can you say getting tagged as a malicious "Hacker" and getting my PC taken away?). Attempting to lobby against the laws myself would be like banging my head against a stone wall (painful, time consuming, and not worth doing).
Ok, this brings up another question which is probably still just as illegal, but what if you imported a file, created a diff and sent that out? What if your changes didn't have anything to do directly with the crypto (like working on the front end of something that hooks into a crypto package)?
On the flip side, if you're using SSH, about the only practical way* for anyone to know if you're doing anything illegal is to search you out for TEMPEST emissions while you're doing it. <tongue-in-cheek>Hence the concept "It's only illegal if you get caught" :-)</t-i-c>
*: This statement is based on the security of the crypto algorithms used in SSH.
What if I produce JPGs of my diffs or source and put the images up for DL, along with some OCR software and a make file? The question is if it's a machine-readable format, but the non-mechanicalness of a picture may make it more clear to the judge that they are violating our first amendment rights.
If that won't work, what if I buy a fancy printer that can put a stamp on it and mail it to a mirror site in a free country? Or do I need to mail it to lots of people for it to be ``publishing''?
Jeff
The Christian religion has been and still is the principal enemy of moral progress in the world. -- Bertrand Russell
The project is called FreeS/WAN (for Secure Wide Area Networking). Hugh Daniel is running the project, and he is scrupulously careful not to edit any of the code himself, or to accept any code written in the USA or by US citizens. When the Bernstein case has been successfully concluded, then we'll be able to tell the JBT's to FUCK OFF and let us write whatever the hell we want to write. -jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
So, if a foreign embassy allowed you to work on crypto code on their sovereign soil, wouldn't that be like commuting across the border each day to Canada (or, more awkwardly, Switzerland) to work on code, and returning home for dinner?
Is that legal?
If it is, I could see multi-story embassies becoming data havens for crypto work. Except that nobody would really do it -- political pressures being what they are.
Interesting thought experiment. If you can use it to prove how ridiculous the current laws are, maybe it will encourage their reform.
Hey, I like free strong crypto. But I bet if I had the weight of our government's responsibilities on my shoulders, I'd probably be pretty terrified of free strong crypto too.
-- There is no truth. There is only Perception. To Perceive is to Exist.
The problem with your argument is that when you think about it, anything transmitted over the internet is really just a series of bytes. The courts have made clear distinctions that what counts is not the fact that you're sending bytes over a T1 line, but what the context and content of those bytes are. The context of those keystrokes he's typing in is, in fact, cryptographic software. And that makes it illegal.
Let's say a developer in the US sends an email with a code fragment including crypto software outside the U.S. According to the courts, this counts as an export violation. However, it is not a violation if he writes his email using plain english to describe the changes without using any code fragments.
The other question you seem to be asking is, "Can you export crypto software imported from other countries?" Still, the answer is no, you can't. Technically, the US sees cryptographic software as a munition, and it is listed with the other munitions restricted for export. So, ask yourself this question: "Would it be illegal for me to export a hand-grenade that I imported from Europe without seeking US approval?" No.
The real question here is of course "Where are you on the internet?" The answer is obviously "A student came to Moon and asked...". To be hypothetically concrete:
If I am physically in the US (say on an extended vacation) but telecommute to Sweden to program for a firm that has hired me, pays me, and bills its customers in Sweden, where am I working?
Arguably, I am using up more Swedish resources (administration of postal services, social security, and what not) than US (a couple of KB of internet bandwidth that I pay for explicitly anyway).
The above case would probably be judged that I was working in Sweden because I am employed by a company that is clearly in Sweden. Now change the gedanken experiment to have me not employed but rather contracting... oooh! Now I'd probably be working in the US.
The problem is that old labour laws (IANAL) are to new labor situations like Newtonian physics is to quantum. The old way works fine as long as we don't look at the limiting cases, like one person working at a distance. (I couldn't resist a non-locality pun.)
I've looked at some laws and they're full of things like preponderance of evidence, and other vagaries that make no sense when applied to an individual.
The short of it is basically that location is a null issue on the internet, and until governments recognize this, we're going to see one absurdity after another.
Yep, that was SWAN.
Any good prosecutor will nail you to the wall.
or why not just lie and say that you developed the crypto in an embassy?
...
Bitchslapped? Give Rob a bitchslap from bitchslapped.com.
What if you programmed a laser beam in Thailand to shoot somebody, but you didn't actually go pull the trigger yourself. Could that be considered indirect enough to be legal?
Piling on levels of indirection will not save you from an out of bounds exception!
Yeah, I'm a Mac programmer. You got a problem with that?
-- thinkyhead software and media
How would you teach evolution in Kansas if you were in some European country? You would have to teach it inside Kansas and then catch a flight to a European country. Well, there is long distance learning...
And how fscking arrogant can the US be?! Does the NSA, CIA, whatever-A think that no one who lives outside the US is SMART enough to make better cryptography software than the US?! If that's the case, I'm embarrassed to call myself a US citizen! Oh, but if (better) cryptography is imported, well then, let's have a party!
And HOW can the government interpret work that I might do as having export restrictions? They can dictate WHO I can and cannot release my knowledge to or give my time to simply based on where I park my rear-end?
And here I thought that Australia had some pretty stupid policies. This just tops the cake. I don't work for the government. Who are they to dictate what I do with my time and knowledge? Yeah, yeah. They're the government.
assert(expired(knowledge));
I think you meant:
...
It is illegal for a U.S. citizen to work outside the U.S. (land), because the U.S. citizen is still under the jurisdiction of the United States (the legal entity)
The question is, WHERE is the jurisdiction of the U.S. defined?
From the Constitution, Article 1, Section 8:
... To exercise exclusive Legislation in all Cases whatsoever, over such District (not exceeding ten Miles square) as may, by Cession of particular States, become the Seat of the Government of the United States, and to exercise like Authority over all Places purchased by the Consent of the Legislature of the State in which the Same shall be, for the Erection of Forts,
The above shows that the jurisdiction of the United States (legal entity) is ONLY 10 miles from inside Washington, DC.
Please look up ex-patriate in Black's Law Dictionary, and look at the 14th amendment in the Bill of Rights for a solution.
> Use it. What's going to happen? The crypto
>police are going to break down your door and
>beat you to death?
Agreed. What REALLY disturbs the hell out of me is, the number of people who are actually fearful of breaking this particular set of laws. There comes times when a given law is unfair, or totally out of touch, and people HAVE to fight it, instead of this "we'll just have to live with it until it gets changed" nonsense. Who's supposed to be running this country? The people! And every day that they let the government trample on our rights is one day closer to the time when we're totally without 'em.
-- www.bteg.com | bleh.n3.net | hac47.dhs.org
I agree that this stuff gets way too complex much too quickly. That's why I'm trying to get some clarification here...
So I write my code using a Plugin Crypto API, which I then publish. That's legal.
To my understanding I can then write an encryption module within the confines of the crypto-export rules for distribution with the software.
But then after the code is released, someone else in Uganda writes a crypto plugin that exceeds the crypto laws. Now, I can import that module for my own use. But is it covered by the export laws in any way?
i.e. could I store this new module on my web site, and link it from the download page for other people to use?
Sig:
Barbeque is a noun. Not a verb.
I've been thinking about this type of thing myself lately. (#$%*@ Cryptonomicon)
The main question I keep coming back to is, what defines the crypto?
Say I and a buddy are developing an editor that encrypts the files when they are written/read from the disk. If he lives in Timbuktu and writes the crypto module, and I in the USA write functions that operate solely on the cleartext, can it be exported? Or is the whole project covered by the crypto laws by default?
Canada can export locally developed encryption ad nauseam...
:-)
OpenBSD is authored here, and it uses strong crypto. Hell, Theo's in my home of Cow Town
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The export controls are placed on the technology, not the code. If you export changes in any form which causes the technology to be exported, then I believe you are in jeopardy.
This is really simple. The US views cryptographic software as a munition, just like a gun or a bomb.
If someone has bomb plans on the web, and you fixed them or sent them changes showing how to make the bomb into a better bomb, then you are obviously exporting bomb technology and subject to prosecution. It doesn't matter if you're changing the placement of a single bolt or gutting the chemical explosives and drawing in uranium spheres; you're aiding a foreign national to construct a munition, which is prohibited.
You're allowed to talk about *bomb technology* at technical conferences (although the wording of the export regs would much prefer that said technology *already* be in the "public domain"), but you're not allowed to build any real bombs outside the US or with non-Americans. Them's the laws. Simple, right?
Also makes perfect sense---if you think that crypto is anything like a bomb or a gun.
I assume you're planning on claiming the above perl is speech, not code?
This should explain a lot.
--
Industrial space for lease in Flatlandia.
I believe that the export of technical assistance (in this case, fixing bugs) with crypto is also prohibited. The corporate world (RSA, etc.) would have set up this sort of thing long ago otherwise.
The export laws are quite explicit in regulating the activities of a "US Person", regardless of where that person is located (inside or outside of the US.) A US person includes individuals who are US citizens as well as US companies. So, if a US Person is in Canada, or Australia, or Egypt or wherever, if they work on crypto it counts as an export. The whole issue of it being done over the net is a distraction.
It's irrelevant. The US is trying to hold onto a situation that was lost as soon as Zimmermann posted his code. All the export laws do is legislate against the citizens of a "free" country. BTW - Has anybody heard that the US now has the technology to break practically any block crypto techniques? Of course, the result of anybody drawing attention to this fact would be that nobody would continue to use block cyphers. Wonder if that would piss anybody off in the CIA? Don't worry tho guys. PGP [international version] is not based on block cyphers and you can continue to use it safely!
Remember kids! Guns don't kill people - Americans kill people.
You're probably safe if you print the patches you wrote on a t-shirt that you wear on vacation :-) -DreamerFi
Unfortunately, Anonymous Coward is correct that, if an American citizen does this, it counts as technical assistance and is therefore as illegal as any other means of providing unlicensed crypto to foreigners (assuming the work is made available for access by foreigners, as opposed to fixing the crypto software at a foreign office of a US company, or fixing a product that was legally exported to a foreign bank or Friend Of The US Military-Industrial Complex).
The validity of US export laws is debatable (at least if you don't take the First Amendment seriously, which the government doesn't, but until it gets totally thrown out we're stuck dealing with it.) Some people are challenging it, and some people take the First Amendment as their defense and ignore it. However, if you're a company that's subject to other regulations, as all corporations and many non-incorporated businesses are, you have to take a conservative approach to avoid being either shut down directly or bankrupted by the cost of a legal defense.
Some companies or private individuals, like C2.Net software and John Gilmore's FreeS/WAN Linux IPSec project, take the approach of hiring non-US-citizens to develop the product outside the US - it's legal to import the crypto into the US, and the people providing the money aren't providing technical assistance to foreigners, they're customers getting technical assistance from foreigners. FreeS/WAN has taken an especially careful approach with this, because they want their product to be unquestionably legal for anybody to use, whether inside or outside the US.
Whether the export is detectable or not is a separate issue - :-)
Not Getting Caught is a different problem than Not Violating Bogus Rules
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Why not go to a local foreign embassy and do all the coding on foreign soil. Now that's a plan.
How can the gov. tell us we can't work on crypto and then buy crypto code from foreign companies?
What do you mean 'Linux in a nut shell', it don't fit.
I thought the whole point about MAI, which the Yanks (and, sadly, our toadying mob in Whitehall too) were vigorously supporting was that the US's laws would soon apply in all countries, whether they liked it or not... particularly when it came to the right of a corporate entity to rape'n'pillage for profit (see BGH, GM soya, Ethyl Corporation in Canada etc)
Hurrah for the French who told the rest of the OECD where to stick it (temporarily, at least).
--
Cheers
Jon
Shame this was posted by AC: it'd have been worth at least +3 mod. points for outright satirical brilliance...
mmmmmmmm, love that mad cow
But how is this different from your buddy in Iraq calling you up and saying "hey, I'm trying to finish this killer encryption program but I can't remember how to do something simple, does this source code (spoken verbally, and just some little piece of class-definition code) sound right to you?"
Is it illegal to provide programming advice? What if you didn't know it was encryption code? What if it's just a load/store module for encryption code? What if it's just an FFT routine for encryption code?
-- "Those who cast the votes decide nothing. Those who count the votes decide everything." -Joseph Stalin
For things like 128 bit browsers and PGP, why do people bother with these complex schemes for legally bypassing the restrictions (e.g. OCR'ing the sources from paper)? I don't understand why the original files aren't made more widely available on servers outside the US - It's not like you're breaking any laws that apply to you if you host a copy of a 128 bit SSL browser or similar on a site that's located outside the US.
I'd like to see more places like ftp.replay.com (located in Holland, serving the US versions of all the browsers etc). If it's about US companies trying to sell their software abroad, ideas such as developing on a foreign server might be worth considering, but I think there's way too much fuss about getting hold of US versions of software - only one person needs to break the law by exporting (you're hardly gonna get caught for an ftp transfer), once it's outside export restrictions don't apply anymore.
I'm sure the US government would be happy for you to telnet in and destroy as much data as possible from the source tree. Adding to, or auditing, the code would be silly. Considering the US has them internet listening stations all around, I wouldn't want to risk it. Then again, with them listening stations I'm sure they would actually consider you a patriot for letting them listen to you log in. There's no telling how useful that kind of info is, especially since you made your intentions public on Slashdot.
It isn't a lie if you believe it.
If all you are doing is bug fixes, there wouldn't be a problem, but why couldn't the person at the other end fix the bugs? Most crypto algorithms I've seen tend to be short and sweet, and if anyone is capable of devising and coding one, they can certainly fix their own bugs. Now if you were actually writing a small bit of the code which reflected crypto code in the country, the Feds would probably get you.
I personally think the regulations are silly. If it's possible to smuggle a bomb onto an airplane or through the mail, one could certainly smuggle a floppy disk. We're not preventing anyone who seriously wants our crypto algorithms from getting them. You want relatively unknown crypto, go work for the spooks.
In a Utopian society, Politics and Government don't mix, neither do Academics and State Secrets. We are not, by any means, living in such a society. All this aside....
Ideas spawned in public institutions or in the minds of academics, novelists (who have inspired many a usable invention through fiction) or anyone else for that matter are not normally censured in this way.
It seems irrational that everyone is so dependent on US sources for "technical support" on crypto routines, but to achieve a common PGP style interface for all, it is logical to expect everyone to have the same encoding / decoding to be able to use the "envelope". And as much of the common operating system development (besides OpenBSD, BeOS etc) resides in the US, it would imply that the technology would have to be "imported" to be integrated into the OS before it could be "exported" again...SAME PROBLEM....
The crunch being, in a society where something is oppressed by law (like my homeland used to be) it takes a revolution / a few casualties / a few martyrs / and years in jail to finally overcome such restrictive legislation.
After reading a good number of the postings, it is clear that the only way to open this up would be for someone to actually break the law....The law itself seems to be so open to interpretation that there would be no way for a US citizen to offer assistance, technical or otherwise.
So what do you do...Wear a T-Shirt with a PGP Algorithm printed on it???? You all know where that gets you.......